First published: Thu Aug 25 2022
An issue was discovered in ClusterLabs Hawk (aka HA Web Konsole) through 2.3.0-15. It ships the binary hawk_invoke (built from tools/hawk_invoke.c), which is intended to be installed as a setuid program. This lets the hacluster user invoke certain commands as root, with an attempt to restrict execution to a safe set of command combinations. However, this user is also able to execute an interactive "shell" that is not restricted to the commands specified in hawk_invoke, allowing escalation to root.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ClusterLabs Hawk | <=2.3.0-15 | Fixes and patches are available (see references) |
The vulnerability ID of this issue is CVE-2021-3020.
The severity of CVE-2021-3020 is high with a CVSS score of 8.8.
ClusterLabs Hawk versions up to and including 2.3.0-15 are affected by this vulnerability.
The hacluster user can exploit CVE-2021-3020 by using the setuid hawk_invoke binary to run an interactive shell that is not limited to the allowed commands, escalating to root.
Fixes and patches are available; please refer to the references for more information.